about summary refs log tree commit diff
path: root/spec/models
diff options
context:
space:
mode:
authorEugen Rochko <eugen@zeonfederated.com>2022-11-09 08:24:21 +0100
committerGitHub <noreply@github.com>2022-11-09 08:24:21 +0100
commite98833748e80275a88560155a0b912667dd2d70b (patch)
treeec0d8f68e810e95784efb98e1f603bc86cc247cf /spec/models
parent53817294fc95eabfed6129138f9aaa920e13c4b9 (diff)
Fix being able to spoof link verification (#20217)
- Change verification to happen in `default` queue
- Change verification worker to only be queued if there's something to do
- Add `link` tags from metadata fields to page header of profiles
Diffstat (limited to 'spec/models')
-rw-r--r--spec/models/account/field_spec.rb130
1 files changed, 130 insertions, 0 deletions
diff --git a/spec/models/account/field_spec.rb b/spec/models/account/field_spec.rb
new file mode 100644
index 000000000..7d61a2c62
--- /dev/null
+++ b/spec/models/account/field_spec.rb
@@ -0,0 +1,130 @@
+require 'rails_helper'
+
+RSpec.describe Account::Field, type: :model do
+  describe '#verified?' do
+    let(:account) { double('Account', local?: true) }
+
+    subject { described_class.new(account, 'name' => 'Foo', 'value' => 'Bar', 'verified_at' => verified_at) }
+
+    context 'when verified_at is set' do
+      let(:verified_at) { Time.now.utc.iso8601 }
+
+      it 'returns true' do
+        expect(subject.verified?).to be true
+      end
+    end
+
+    context 'when verified_at is not set' do
+      let(:verified_at) { nil }
+
+      it 'returns false' do
+        expect(subject.verified?).to be false
+      end
+    end
+  end
+
+  describe '#mark_verified!' do
+    let(:account) { double('Account', local?: true) }
+    let(:original_hash) { { 'name' => 'Foo', 'value' => 'Bar' } }
+
+    subject { described_class.new(account, original_hash) }
+
+    before do
+      subject.mark_verified!
+    end
+
+    it 'updates verified_at' do
+      expect(subject.verified_at).to_not be_nil
+    end
+
+    it 'updates original hash' do
+      expect(original_hash['verified_at']).to_not be_nil
+    end
+  end
+
+  describe '#verifiable?' do
+    let(:account) { double('Account', local?: local) }
+
+    subject { described_class.new(account, 'name' => 'Foo', 'value' => value) }
+
+    context 'for local accounts' do
+      let(:local) { true }
+
+      context 'for a URL with misleading authentication' do
+        let(:value) { 'https://spacex.com                                                                                            @h.43z.one' }
+
+        it 'returns false' do
+          expect(subject.verifiable?).to be false
+        end
+      end
+
+      context 'for a URL' do
+        let(:value) { 'https://example.com' }
+
+        it 'returns true' do
+          expect(subject.verifiable?).to be true
+        end
+      end
+
+      context 'for text that is not a URL' do
+        let(:value) { 'Hello world' }
+
+        it 'returns false' do
+          expect(subject.verifiable?).to be false
+        end
+      end
+
+      context 'for text that contains a URL' do
+        let(:value) { 'Hello https://example.com world' }
+
+        it 'returns false' do
+          expect(subject.verifiable?).to be false
+        end
+      end
+    end
+
+    context 'for remote accounts' do
+      let(:local) { false }
+
+      context 'for a link' do
+        let(:value) { '<a href="https://www.patreon.com/mastodon" target="_blank" rel="nofollow noopener noreferrer me"><span class="invisible">https://www.</span><span class="">patreon.com/mastodon</span><span class="invisible"></span></a>' }
+
+        it 'returns true' do
+          expect(subject.verifiable?).to be true
+        end
+      end
+
+      context 'for a link with misleading authentication' do
+        let(:value) { '<a href="https://google.com                                                                                            @h.43z.one" target="_blank" rel="nofollow noopener noreferrer me"><span class="invisible">https://</span><span class="">google.com</span><span class="invisible">                                                                                            @h.43z.one</span></a>' }
+
+        it 'returns false' do
+          expect(subject.verifiable?).to be false
+        end
+      end
+
+      context 'for HTML that has more than just a link' do
+        let(:value) { '<a href="https://google.com" target="_blank" rel="nofollow noopener noreferrer me"><span class="invisible">https://</span><span class="">google.com</span><span class="invisible"></span></a>                                                                                            @h.43z.one' }
+
+        it 'returns false' do
+          expect(subject.verifiable?).to be false
+        end
+      end
+
+      context 'for a link with different visible text' do
+        let(:value) { '<a href="https://google.com/bar">https://example.com/foo</a>' }
+
+        it 'returns false' do
+          expect(subject.verifiable?).to be false
+        end
+      end
+
+      context 'for text that is a URL but is not linked' do
+        let(:value) { 'https://example.com/foo' }
+
+        it 'returns false' do
+          expect(subject.verifiable?).to be false
+        end
+      end
+    end
+  end
+end